This blog post summarizes the analyses conducted in  I dati personali nell’Amministrazione pubblica, which focuses on the processing of personal data by public administrations. In carrying out their functions, public authorities increasingly rely on personal data to pursue institutional objectives while simultaneously safeguarding the rights of individuals whose data is being processed. This creates an inherent tension between the protection of data subjects and the need to achieve various public interests established by law. This tension is embedded in the dualism between the protection of natural persons and the free flow of data, which forms the foundation of Regulation (EU) No. 679/2016 (GDPR).

Against this backdrop, this blog post seeks to propose an interpretative approach that aligns with the specific features of personal data processing within the public sector.

1. From Secrecy to Data Protection (and Circulation)

Historically, administrative activity was primarily governed by the principle of secrecy, while private individuals could at most claim a right to confidentiality, enforceable in limited cases against public authorities and more frequently against third parties. Within this framework, data processing was largely unrestricted, except for specific public law constraints set by relevant regulations. Subsequent developments have progressively eroded these purely “defensive” positions, both for individuals and public administrations, in relation to data processing.

Public administrations have been subject to legislative reforms – also aimed at implementing the constitutional provisions within the context of organization and administrative activities – that have reshaped their activities around the principles of transparency, publicity, and openness as well as the more recent European normative framework regarding data. These reforms have strengthened public scrutiny of administrative actions while also increasing the significance of data reuse and open data initiatives.

At the same time, the private sphere has undergone a comparable shift. Moving beyond the traditional notion that the right to data protection equates to the right to privacy, legal developments have increasingly emphasized the individual’s autonomy and the principle of free data circulation. As a result, there is now a notable convergence between the public and private sectors, as both can facilitate the free movement of information within a framework of protection.

In this light, the GDPR should not be viewed solely as a protective legal instrument but also as a regulatory framework that fosters and promotes the circulation of information. For public administrations, this circulation materializes through data processing activities that are instrumental in achieving their institutional goals.

2. Public Administrations as Data Controllers

With regard to the processing of personal data by public authorities, the GDPR, when read in conjunction with national data protection legislation, appears to acknowledge specific characteristics that stem from the public nature of the data controller, whose actions are directed toward achieving general interest objectives.

First, a public administration carrying out an administrative function can justify data processing based on a legal provision establishing a public interest task or the exercise of public authority, without needing to rely on other legal bases.

Second, data subjects’ rights with respect to processing lose their “absolute satisfaction” structure when the processing serves the public interest.

Third, when processing is carried out by public authorities, the “one-stop-shop” mechanism—which facilitates cooperation between data protection authorities (DPAs) at the national level—does not apply. Instead, oversight of the processing remains within the competence of the DPA in the Member State where the public authority is located.

Fourth, an important GDPR provision grants individual Member States the discretion to decide whether or not to impose sanctions on public sector data controllers.

More broadly, the unique role of public administrations is shaped not only by the GDPR and national data protection laws but also by the legal frameworks governing transparency, openness, and digital administration. Within these regulatory landscapes, public administrations face the complex challenge of harmonizing various relevant legal provisions.

In this broader context, the processing of personal data by public authorities operates on two levels. On the one hand, it functions as a governance activity, aimed at defining ex-ante the different types of processing that will be carried out. This may also result in binding administrative acts that shape future actions. On the other hand, data processing takes place as an instrumental activity of the administration in support of either authoritative or non-authoritative administrative functions.

In both cases, public authorities must strike a balance between protecting individuals’ data and advancing the various public interests at stake.

3. The Role of DPA and Judicial Review

This approach, however, encounters resistance due to interpretative trends that, in practice, tend to equate public and private entities in terms of the application of data protection rules.

The Italian DPA frequently seems not to acknowledge this distinction fully, more than often applying data protection regulations more rigidly to public entities. Judicial review by ordinary courts offers only partial relief, as it tends to be more receptive to administrative needs in some cases but not systematically.

There is a noticeable gap between the legal framework—which appears to encourage collaboration between the DPA and public administrations—and the actual practice of the Italian DPA. Sometimes, the authority appears to overlook the public interest considerations that underpin data processing by public bodies.

Furthermore, collaborative approaches have been effectively precluded fromoversight activities due to specific legislative choices made by the Italian legislator. Even in the context of regulatory supervision, the Italian DPA prioritizes the protection of individuals over public interest considerations. This issue has been particularly evident in cases concerning data processing for administrative transparency.

For example, in its guidelines on the FOIA, the Italian Data Protection Authority presents privacy as a value that prevails over freedom of information. Moreover, it interprets the limitations on civic access to documents and information broadly – considering self-interested access requests inadmissible, despite the absence of any such limitation in the legal framework.

Judicial protection presents additional complexities. The system of legal remedies before ordinary courts seems designed to uphold the principle of equal treatment between public and private data controllers, yet it exhibits structural weaknesses. On the one hand, it suffers from inherent shortcomings – for example, procedural safeguards during sanctioning proceedings are not upheld in ordinary courts as they are before administrative judges; on the other, judicial oversight is fragmented, with different interpretative approaches depending on the competent court: administrative judges in cases involving a balance between the right of access and the right to privacy, and ordinary judges in other cases. This leads to an inconsistent balance between data protection and the pursuit of public interest.

Nevertheless, some noteworthy developments have emerged in disputes settled by administrative courts, where a greater emphasis is placed on achieving a fair and proportionate balance between data protection and public interest objectives.

4. The Need to Reconsider the Data Processing Framework in the Public Sector

The above analysis shows that when public administrations process personal data, they are not in the same position as private entities, as they must always consider how data protection aligns with the pursuit of the public interest, with the related implications also affecting the level of legal protection.This has several implications. First, public authorities must reconcile different public and private interests when processing data, navigating a series of challenges that may later become the subject of oversight by the DPA or judicial review.

For this reason, it is essential to avoid an overly rigid approach to data protection – one that treats it as absolute immunity from any form of interference in the private sphere.

Consider the case of COVID-19 contact tracing apps. In this context, the adoption of a particularly stringent data protection standard that restricts the processing of location data may conflict not only with individual protection interests, but also with the safeguarding of public health.Moreover, the frameworks set out in the Data Governance Act and the Data Act—particularly with respect to data reuse and data altruism—highlight the general need to promote data use in the public interest. Even prior to that, it is the GDPR itself that, in Article 1(3), affirms: “The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data”.

Methodologically, this calls for a shift away from viewing data protection principles and administrative law principles as separate or conflicting. Instead, they should be considered in an integrated manner.

This perspective is particularly important at the organizational level, as it allows for data protection compliance to be understood not as an additional bureaucratic burden but as a “component” of administrative functions.

Furthermore, this approach ensures a more balanced role for the DPA, which must take into account public administrations’ responsibilities under both data protection and administrative law. These considerations should also play a role in judicial review of data processing activities and decisions made by the Italian DPA.

Finally, this assessment of public-sector data processing raises broader reflections on the legal nature and scope of the right to data protection. In this sense, the right to personal data protection emerges as a subjective legal position that is not solely aimed at safeguarding the individual, but rather at reconciling individual protection with the need for the circulation of personal data. In the public sector, this entails a strong interaction between the protection of the individual and the pursuit of the public interest.

Posted by Simone Franca

—

Simone Franca is Assistant Professor of Administrative and Public Law at the University of Trento, Department of Law. He has been a visiting fellow at the MPIL of Heidelberg in 2018 and 2019. After attending the Academy of European Public Law (Athens-Sounion), he took the Intensive International Master of Law (I.I.LL.M) in European Public Law and was awarded with the “Luis Ortega” Thesis Prize.

This post discusses his book: “I dati personali nell’amministrazione pubblica. Attività di trattamento e tutela del privato” available in open access here.

His main research interests include judicial review of administrative action, data protection in the public sector, and nonprofit (third sector) law.